1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * Copyright 2019 Google LLC
4 */
5 #ifndef __LINUX_BIO_CRYPT_CTX_H
6 #define __LINUX_BIO_CRYPT_CTX_H
7
8 enum blk_crypto_mode_num {
9 BLK_ENCRYPTION_MODE_INVALID,
10 BLK_ENCRYPTION_MODE_AES_256_XTS,
11 BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV,
12 BLK_ENCRYPTION_MODE_ADIANTUM,
13 BLK_ENCRYPTION_MODE_MAX,
14 };
15
16 #ifdef CONFIG_BLOCK
17 #include <linux/blk_types.h>
18
19 #ifdef CONFIG_BLK_INLINE_ENCRYPTION
20
21 #define BLK_CRYPTO_MAX_KEY_SIZE 64
22 #define BLK_CRYPTO_MAX_WRAPPED_KEY_SIZE 128
23
24 /**
25 * struct blk_crypto_key - an inline encryption key
26 * @crypto_mode: encryption algorithm this key is for
27 * @data_unit_size: the data unit size for all encryption/decryptions with this
28 * key. This is the size in bytes of each individual plaintext and
29 * ciphertext. This is always a power of 2. It might be e.g. the
30 * filesystem block size or the disk sector size.
31 * @data_unit_size_bits: log2 of data_unit_size
32 * @size: size of this key in bytes (determined by @crypto_mode)
33 * @hash: hash of this key, for keyslot manager use only
34 * @raw: the raw bytes of this key. Only the first @size bytes are used.
35 *
36 * A blk_crypto_key is immutable once created, and many bios can reference it at
37 * the same time. It must not be freed until all bios using it have completed.
38 */
39 struct blk_crypto_key {
40 enum blk_crypto_mode_num crypto_mode;
41 unsigned int data_unit_size;
42 unsigned int data_unit_size_bits;
43 unsigned int size;
44 unsigned int hash;
45 u8 raw[BLK_CRYPTO_MAX_WRAPPED_KEY_SIZE];
46 };
47
48 #define BLK_CRYPTO_MAX_IV_SIZE 32
49 #define BLK_CRYPTO_DUN_ARRAY_SIZE (BLK_CRYPTO_MAX_IV_SIZE/sizeof(u64))
50
51 /**
52 * struct bio_crypt_ctx - an inline encryption context
53 * @bc_key: the key, algorithm, and data unit size to use
54 * @bc_keyslot: the keyslot that has been assigned for this key in @bc_ksm,
55 * or -1 if no keyslot has been assigned yet.
56 * @bc_dun: the data unit number (starting IV) to use
57 * @bc_ksm: the keyslot manager into which the key has been programmed with
58 * @bc_keyslot, or NULL if this key hasn't yet been programmed.
59 *
60 * A bio_crypt_ctx specifies that the contents of the bio will be encrypted (for
61 * write requests) or decrypted (for read requests) inline by the storage device
62 * or controller, or by the crypto API fallback.
63 */
64 struct bio_crypt_ctx {
65 const struct blk_crypto_key *bc_key;
66 int bc_keyslot;
67
68 /* Data unit number */
69 u64 bc_dun[BLK_CRYPTO_DUN_ARRAY_SIZE];
70
71 /*
72 * The keyslot manager where the key has been programmed
73 * with keyslot.
74 */
75 struct keyslot_manager *bc_ksm;
76 };
77
78 int bio_crypt_ctx_init(void);
79
80 struct bio_crypt_ctx *bio_crypt_alloc_ctx(gfp_t gfp_mask);
81
82 void bio_crypt_free_ctx(struct bio *bio);
83
bio_has_crypt_ctx(struct bio * bio)84 static inline bool bio_has_crypt_ctx(struct bio *bio)
85 {
86 return bio->bi_crypt_context;
87 }
88
89 void bio_crypt_clone(struct bio *dst, struct bio *src, gfp_t gfp_mask);
90
bio_crypt_set_ctx(struct bio * bio,const struct blk_crypto_key * key,u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE],gfp_t gfp_mask)91 static inline void bio_crypt_set_ctx(struct bio *bio,
92 const struct blk_crypto_key *key,
93 u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE],
94 gfp_t gfp_mask)
95 {
96 struct bio_crypt_ctx *bc = bio_crypt_alloc_ctx(gfp_mask);
97
98 bc->bc_key = key;
99 memcpy(bc->bc_dun, dun, sizeof(bc->bc_dun));
100 bc->bc_ksm = NULL;
101 bc->bc_keyslot = -1;
102
103 bio->bi_crypt_context = bc;
104 }
105
106 void bio_crypt_ctx_release_keyslot(struct bio_crypt_ctx *bc);
107
108 int bio_crypt_ctx_acquire_keyslot(struct bio_crypt_ctx *bc,
109 struct keyslot_manager *ksm);
110
111 struct request;
112 bool bio_crypt_should_process(struct request *rq);
113
bio_crypt_dun_is_contiguous(const struct bio_crypt_ctx * bc,unsigned int bytes,u64 next_dun[BLK_CRYPTO_DUN_ARRAY_SIZE])114 static inline bool bio_crypt_dun_is_contiguous(const struct bio_crypt_ctx *bc,
115 unsigned int bytes,
116 u64 next_dun[BLK_CRYPTO_DUN_ARRAY_SIZE])
117 {
118 int i = 0;
119 unsigned int inc = bytes >> bc->bc_key->data_unit_size_bits;
120
121 while (i < BLK_CRYPTO_DUN_ARRAY_SIZE) {
122 if (bc->bc_dun[i] + inc != next_dun[i])
123 return false;
124 inc = ((bc->bc_dun[i] + inc) < inc);
125 i++;
126 }
127
128 return true;
129 }
130
131
bio_crypt_dun_increment(u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE],unsigned int inc)132 static inline void bio_crypt_dun_increment(u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE],
133 unsigned int inc)
134 {
135 int i = 0;
136
137 while (inc && i < BLK_CRYPTO_DUN_ARRAY_SIZE) {
138 dun[i] += inc;
139 inc = (dun[i] < inc);
140 i++;
141 }
142 }
143
bio_crypt_advance(struct bio * bio,unsigned int bytes)144 static inline void bio_crypt_advance(struct bio *bio, unsigned int bytes)
145 {
146 struct bio_crypt_ctx *bc = bio->bi_crypt_context;
147
148 if (!bc)
149 return;
150
151 bio_crypt_dun_increment(bc->bc_dun,
152 bytes >> bc->bc_key->data_unit_size_bits);
153 }
154
155 bool bio_crypt_ctx_compatible(struct bio *b_1, struct bio *b_2);
156
157 bool bio_crypt_ctx_mergeable(struct bio *b_1, unsigned int b1_bytes,
158 struct bio *b_2);
159
160 #else /* CONFIG_BLK_INLINE_ENCRYPTION */
bio_crypt_ctx_init(void)161 static inline int bio_crypt_ctx_init(void)
162 {
163 return 0;
164 }
165
bio_has_crypt_ctx(struct bio * bio)166 static inline bool bio_has_crypt_ctx(struct bio *bio)
167 {
168 return false;
169 }
170
bio_crypt_clone(struct bio * dst,struct bio * src,gfp_t gfp_mask)171 static inline void bio_crypt_clone(struct bio *dst, struct bio *src,
172 gfp_t gfp_mask) { }
173
bio_crypt_free_ctx(struct bio * bio)174 static inline void bio_crypt_free_ctx(struct bio *bio) { }
175
bio_crypt_advance(struct bio * bio,unsigned int bytes)176 static inline void bio_crypt_advance(struct bio *bio, unsigned int bytes) { }
177
bio_crypt_ctx_compatible(struct bio * b_1,struct bio * b_2)178 static inline bool bio_crypt_ctx_compatible(struct bio *b_1, struct bio *b_2)
179 {
180 return true;
181 }
182
bio_crypt_ctx_mergeable(struct bio * b_1,unsigned int b1_bytes,struct bio * b_2)183 static inline bool bio_crypt_ctx_mergeable(struct bio *b_1,
184 unsigned int b1_bytes,
185 struct bio *b_2)
186 {
187 return true;
188 }
189
190 #endif /* CONFIG_BLK_INLINE_ENCRYPTION */
191
192 #if IS_ENABLED(CONFIG_DM_DEFAULT_KEY)
bio_set_skip_dm_default_key(struct bio * bio)193 static inline void bio_set_skip_dm_default_key(struct bio *bio)
194 {
195 bio->bi_skip_dm_default_key = true;
196 }
197
bio_should_skip_dm_default_key(const struct bio * bio)198 static inline bool bio_should_skip_dm_default_key(const struct bio *bio)
199 {
200 return bio->bi_skip_dm_default_key;
201 }
202
bio_clone_skip_dm_default_key(struct bio * dst,const struct bio * src)203 static inline void bio_clone_skip_dm_default_key(struct bio *dst,
204 const struct bio *src)
205 {
206 dst->bi_skip_dm_default_key = src->bi_skip_dm_default_key;
207 }
208 #else /* CONFIG_DM_DEFAULT_KEY */
bio_set_skip_dm_default_key(struct bio * bio)209 static inline void bio_set_skip_dm_default_key(struct bio *bio)
210 {
211 }
212
bio_should_skip_dm_default_key(const struct bio * bio)213 static inline bool bio_should_skip_dm_default_key(const struct bio *bio)
214 {
215 return false;
216 }
217
bio_clone_skip_dm_default_key(struct bio * dst,const struct bio * src)218 static inline void bio_clone_skip_dm_default_key(struct bio *dst,
219 const struct bio *src)
220 {
221 }
222 #endif /* !CONFIG_DM_DEFAULT_KEY */
223
224 #endif /* CONFIG_BLOCK */
225
226 #endif /* __LINUX_BIO_CRYPT_CTX_H */
227